Yes, you need to have the Class 25 attribute be "OU=GroupPolicy" and the user must be a member of a group named "GroupPolicy" in Active Directory. You must use a RADIUS server to send back the attribute. What kind of RADIUS server are you using?
I use Microsoft IAS. But I have already created different AD groups and set up accordingly in the ASA. So it works when the users manually select which policy/profile to use during login.
But now that I've got 3-4 different scenarios (AD group memberships or ASA profiles), I want the ASA to be able to hide the profile drop-down box (I know how to do that) and then select the proper policy/profile automatically based on which AD group the user is a member of.
For each different scenario you will need to have a separate AD group (which it sounds like you already have). On the ASA, you will need to create a Group Policy for each AD group. I believe the drop-down box lets a user select the tunnel group/connection policy. You only need to use one tunnel group. Set a default group policy for this tunnel group. When a user connects on this tunnel group and types in their username and password, the Group Policy that matches the AD group will be dynamically assigned to that user, which bypasses the Group Policy that is assigned by default. These Group Policies need to be named exactly the same for this to work. So it would probably be easier to rename the AD group names to match the Group Policies on the ASA.
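As an added illustration of the ASA side of this arrangement (not configuration from the thread or from Cisco), here is a constructed config: one tunnel group, a deny-by-default group policy, and one group policy per AD group, named exactly as the group so that the `OU=<name>` value IAS returns in the Class (25) attribute selects it. All names, addresses and pools are assumed placeholders.

```cisco
! Added example (not from the thread); names, addresses and pools are constructed.
! RADIUS server group pointing at the Microsoft IAS box
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.5
 key <shared-secret>
!
! Address pools handed out per group policy
ip local pool POOL-SALES 10.10.1.1-10.10.1.100 mask 255.255.255.0
ip local pool POOL-ENG 10.10.2.1-10.10.2.100 mask 255.255.255.0
!
! Default policy that denies login: a user whose RADIUS reply carries no
! matching OU= value stays on this policy and cannot connect.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! One group policy per AD group, named exactly as the group. IAS returns
! Class (attribute 25) = "OU=VPN-Sales" for members of AD group VPN-Sales.
group-policy VPN-Sales internal
group-policy VPN-Sales attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-SALES
!
! Class = "OU=VPN-Engineering" for members of AD group VPN-Engineering.
group-policy VPN-Engineering internal
group-policy VPN-Engineering attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ENG
!
! Single tunnel group: users authenticate against IAS, land on NoAccess by
! default, and are moved to the group policy named in the Class attribute.
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 authentication-server-group IAS
 default-group-policy NoAccess
```

After a test login, `show vpn-sessiondb anyconnect` lists the Group Policy actually applied to the session, which is the quickest way to confirm that the Class attribute matched a policy name rather than falling back to NoAccess.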